The Low-Tech Answer to Election Hacks

Jeremy Hansen, PhD, knows a few things about elections. As a computer scientist and cybersecurity expert, Hansen studies the applications and social implications of technology, including election auditing. As a citizen, he is in the midst of his fourth run for state legislative office, campaigning for an open seat in the Vermont House of Representatives. Canvassing door to door, Hansen has been called a lot of names, both good and bad, and been bitten by a dog.

But that pain seems minor compared to how he feels about the vulnerability of our digital voting and election auditing systems. “In computer security, we always look for the single points of failure,” Hansen says, referring to flaws that can bring an entire system down. “Where is the juiciest target?”

Unfortunately, when it comes to the hardware, software, and humans that run our elections, there are many. Taking Vermont as an example, Hansen zeroes in on several easy targets: the computers used by town clerks to report local election results and the servers used by the Secretary of State to compile them.

And then there’s the more subtle hack. Hansen notes that a single company in New Hampshire programs all the memory cards used to map paper ballots to the optical scanners that tally election results. Reprogram the geography of that ballot so that a percentage of votes cast for candidate Smith actually map to candidate Jones, and you’ve thrown an election. That hasn’t occurred. But the fact that it could should arouse our collective concern.

“The bigger picture, though, is that in a lot of states, there are voting systems that are connected to the Internet,” Hansen says. “That’s super bad.” If it’s on the web, it can and most likely will be hacked. Cell phones are also vulnerable. Which makes West Virginia’s recent proposal to allow voting by cell phone another face-palm cybersecurity moment, one that Hansen labels “bad ideas in election technology, episode 96.”

Hansen pins some of our current problems on the rush to go digital in the wake of the 2000 presidential vote debacle in Florida, which was exacerbated by punch-style paper ballots (i.e., the wrong kind). Remember dimples and hanging chads? The Help America Vote Act of 2002 opened the federal spigot for local and state governments to buy electronic voting systems. But then, as now, cybersecurity was often an afterthought.

Part of the problem today, Hansen says, is that many voting systems haven’t been audited and they lack a paper trail. In many jurisdictions, voting is done entirely by touch screen—with no paper receipt. Want to vote for candidate Smith? Touch here. “That’s a lot of trust me,” he says. “One of the things that I remember my mom teaching me when I was six is, if someone ever says ‘trust me,’ the first thing you should do is not to trust them.”

Hansen has testified before the Vermont state legislature on election auditing. He says more transparency and assurance are needed to show that our elections are being conducted fairly and accurately. Vote tabulation software should be open source, Hansen says, noting that Vermont’s privately written vote-counting code has never been made public.

“For the most part, 99.5 percent of the time, I would say these are all working as advertised,” Hansen says. “But I work in this field and know how you can subvert software, how you can subvert hardware, and it’s not a stretch of the imagination to think that these could be compromised in some way.”

So what to do? Hansen says the simple solution is paper ballots. And he’s not alone. In a recent Washington Post opinion piece on how to thwart Russian President Vladimir Putin, former CIA deputy director Michael Morell also advocated for paper ballots.

“Computers aren’t the solution for everything,” Hansen says. When it comes to backstopping our voting systems from outside interference, “the low-tech solutions are often better,” he adds. “It is as simple as having a paper ballot and looking at them afterwards.”

Some of Hansen’s research focuses on ways to statistically audit election results that don’t require checking every single ballot. Paper ballots are a key step. Analyzing them is essential. “If you have a bad hand count, you can figure that out. If you have a bad machine count, you can figure that out.” The same applies to other human errors or cases of outright manipulation.

Uncovering evidence of election hacking only goes so far. Without a paper trail, “there is no way to go back and check to verify that your results, that your outcome actually matches what the voters’ intents were,” Hansen says. And if we’re uncertain if our democratic principles were faithfully executed at the polls, “that’s a tragedy of democracy.”